Health Care Students Who Frequently Use Facebook Are Unaware of the Risks for Violating HIPAA Standards

Problems With Social Media in the Health Care Setting

Pew Internet Research ² released a survey in 2010 that explained how American adults interact on social networking sites. The Pew sample found that 92% of the 975 respondents participating in social networking sites have a Facebook account and that 52% of these individuals stated that they interact on Facebook on a daily basis. The survey noted that Facebook users are more likely to comment on others’ Facebook posts, statuses, and photos than to update their own Facebook statuses on a daily basis. Women are more likely than men to interact on Facebook, and the younger the user is, the more likely that he or she will comment on others’ posts at least once per day. The survey also demonstrated how social networking platforms have changed social interactions. The average American adult feels more connected to other people when interacting on Facebook and claims to have closer social circles in which to confide and discuss daily events.

Thompson et al ³ conducted a study in 2008 to assess 501 medical students’ and 312 residents’ use of Facebook and their professionalism (or lack thereof) present in their digital profiles. The researchers found that 44.5% of participants had Facebook accounts and that the further students progress in school, the less active they became on the site. Only 12.8% of the residents had Facebook accounts, while 64.3% of medical students each had one. The study demonstrated that only 37.5% of medical students and residents had private Facebook profiles, while the remaining students left their Facebook profiles public and did not implement any additional privacy settings.

MacDonald et al ⁴ conducted a study that examined the use of social networking sites and content posted, as well as the use of privacy settings by doctors who graduated from a university in New Zealand between 2006 and 2007. Their retrospective study assessed 338 newly graduated physician Facebook profiles for availability of content to other Facebook users who belonged to the same network. They found that 65% of newly graduated doctors had Facebook accounts, that 66% of the these doctors frequently accessed their Facebook profiles, and that 63% of the profiles had activated privacy settings. A number of users provided their personal age, friends, and associated groups, including groups with obscene names containing profanity or degrading to the medical profession. The mean number of photographs displayed per Facebook account was 85.8, and approximately half the photos portrayed unhealthy, unprofessional, or obscene behaviors, such as intoxication, nudity, obscene gestures, or cross-dressing. The authors found that several new graduates posted their political and religious affiliations, sexual orientations, and relationship statuses on their profiles. These personal associations may put the medical professional at risk for undermining patients’ trust by leaving patients feeling vulnerable to the health care professionals’ personal opinions or beliefs. A high proportion of users also provided their home or current towns, places of employment, and personal phone numbers to confirm their identities. MacDonald et al noted that these behaviors imply a need to address what it means to be a professional in the medical field.

Gabbard et al ⁵ conducted a literature review to assess the dilemmas created by widespread use of the Internet, as well as to offer recommendations to the medical community for dealing with these dilemmas. They found that problems created by use of the Internet could be divided into three areas: clinical dilemmas, professionalism issues, and ethical concerns. They stated that the expression of a medical professional’s personal thoughts, beliefs, and lifestyle on a social networking site can create a conflict with the medical ethics principles of respect for patient autonomy, nonmaleficence, beneficence, and justice. The information posted online by a medical professional could also alter the patient-provider relationship by introducing patient vulnerability, lack of trust, or lack of confidence in one’s health care provider.

Hader and Brown ⁶ discussed the legal implications of medical professionals posting about a patient interaction online. It is not necessarily an infringement of patients’ privacy for a medical professional to discuss work conditions with family and friends; however, when patient-identifying information is discussed, patient confidentiality has been breached. Hader and Brown advised that health care professionals never post anything about their work online due to the possibility of posting patient information. Identifiable health information includes data that relates to the past, present, or future medical care related to that patient and is considered to be protected health information, and health care workers who disclose patient information may well face criminal consequences of fines and/or inprisonment.^7,8

Chretien et al ⁹ surveyed the deans of student affairs or their representatives and counterparts in 130 accredited U.S. medical schools. Their aim was to determine the number of incidents of students posting unprofessional online content and to classify the type of professionalism infraction. In the event of an infraction, the authors recorded any disciplinary actions taken. Sixty percent of respondents reported that they had incidents in which students posted unprofessional content online. The incidents documented included 52% of students posting content with profanity and 48% using discriminatory language. Thirteen percent reported violations of patient privacy or confidentiality. In addition to responding to survey items, the respondents were permitted to write open-ended responses, and 4 respondents described examples of violations of patient privacy through student blogs or social media postings that did not include patient names but were descriptive enough to identify patients.

While most of the disciplinary actions included informal warnings (67%), 7% of the cases resulted in dismissals, with one respondent specifically identifying a breach of patient confidentiality as the reason for dismissal. ⁹ Schools that reported incidences of online unprofessional behavior, including divulging private health information, were significantly more likely to have a current professionalism policy that covered online behaviors. The authors suggested that institutions with such policies may be more likely to identify infractions, thus contributing to their higher levels of occurrences of unprofessional online student behavior. However, research was not done to determine if institutional policies deter unprofessional online student behaviors, and, more important, it did not describe risk factors or behavioral interventions that might prevent students from making such mistakes.

As social networking sites become further integrated into our society as marketing tools and forums for health care professionals to interact with one another and their patients, the consideration of professionalism while interacting online is essential. The varied examples of HIPAA violations demonstrate that neither students nor professionals are immune from posting private health information on Facebook. The types of problems that can occur when HIPAA is violated online are well documented. Effective policy may help identify the occurrences, but there is no research to date that addresses what initial traits or behaviors put students at risk for violating HIPAA on social media sites. If the risky behaviors could be identified early, then education may be able to prevent such violations. The goal of this research project is to document how students enrolled in medical programs are using Facebook and to assess the students’ general understanding of what constitutes HIPAA violations on Facebook. It is hypothesized that students who frequently update their Facebook statuses will be less likely to identify correctly status updates that are violations of HIPAA.

Methods

An anonymous, institutional review board–approved survey was distributed to 3058 students on a university campus of a health sciences center via the students’ electronic daily newsletter for 3 consecutive days. The survey link was also e-mailed twice over a period of 2 weeks to a subset of 643 students enrolled in one college on that campus. Identifying information and IP addresses were not collected, to ensure anonymity. The survey included questions related to how students use Facebook, how often they access Facebook or update status information, and if certain online scenarios constituted HIPAA violations (see appendix). Questions 1–4 asked about student demographics; questions 5–15 asked about students’ online behavior; and questions 16–23 asked students if a given online scenario constituted a HIPAA violation. The frequency with which students access Facebook or update status information was compared to how they answered the HIPAA scenario questions. The data were collected, and the association was assessed between frequency of updating status on social media and correctly identifying HIPAA violations, according to a chi-square test or Fisher exact test, as appropriate, using SAS 9.2 (SAS institute, Cary, North Carolina, USA). It was hypothesized that 10% of the students who frequently update their statuses and 40% who infrequently do so would correctly identify survey items 16 and 19 as HIPAA violations. It was estimated that a sample size of 72 students (36 per group) would have 80% power to detect this difference with a 5% chance of a type 1 error (the conclusion that a relationship exists when it in fact does not).

Results

There were 137 responses to the survey, including 10 incomplete surveys, for a total response rate of 4.48%. Of those responding to the demographics questions, there were 108 women (86.4%) and 17 men (13.6%), who ranged in age from 20 to 58 years. A total of 53 (41.7%) students indicated that they posted where they work or identified the location of their clinical rotation as part of their Facebook information page or in status updates. Two categories separated the responses to how often students access Facebook, update status information, or post photographs online: frequent and infrequent. The responses were placed in the frequent category if the respondent chose several times a day, once a day, 3-5 times a week, or 1-2 times per week. The infrequent category consisted of responses that indicated every few weeks, less than every few weeks, or never. In sum, 116 students (91%) used or accessed Facebook frequently, and 11 (9%) used Facebook infrequently. Only 45 students (35%) updated their Facebook statuses frequently and 82 (65%) infrequently.

The frequency with which students accessed their Facebook accounts was compared to how often they updated their Facebook status information (Table 1). Of the 45 students who used or accessed Facebook frequently, 100% stated that they also updated their statuses frequently. Of the 82 students who used or accessed social media infrequently, 71 (86.6%) reported that they updated their Facebook statuses frequently when they did access social media, and 11 (13.4%) updated their status infrequently. Those students who used or accessed Facebook frequently were more likely to update their Facebook statuses than were those who accessed Facebook infrequently (P = .007).

OPEN IN VIEWER

Table 1.

Comparison of How Frequently Students Access Facebook and Update Their Status, No. (%).

How Often Do You Access?	How Often Do You Update?
	Frequently	Infrequently
Frequently	45 (100.0)	71 (86.6)
Infrequently	0 (0)	11 (13.4)

The survey analysis focused on two questions, Nos. 16 and 19, which were clear HIPAA violations (appendix). Question 16 asked if it was a HIPAA violation to post a medical image or photo on Facebook even if there is no protected health information visible and there is no face shown; 102 students (82.3%) answered that it is a HIPAA violation. Question 19 asked if it is a HIPAA violation to post about an exciting case witnessed in the clinic with no specifics to the identity of the patient; 104 (81.9%) answered that it would be a HIPAA violation.

Then students were given two questions, Nos. 20 and 23, that presented situations that were not HIPAA violations (appendix). Question 20 asked if it was a HIPAA violation to post on Facebook that you were finding out the sex of your child; 126 (99.2%) answered correctly that it is not a HIPAA violation. Question 23 asked if it was a HIPAA violation to post that “mom had a follow-up appointment with her doctor. Praying the chemo worked”; 39 students (31.0%) answered incorrectly, believing that it constitutes a HIPAA violation.

Each HIPAA scenario, questions 16-23, was compared to how frequently students updated their Facebook status. The complete results of each individual HIPAA scenario are listed in Table 2. There were no significant differences on any of the HIPAA scenario questions compared to the frequency of Facebook status updates, except that students who infrequently updated their status information were more likely to correctly identify question 16 as a HIPAA violation (posting any medical image or photograph on Facebook with the absence of identifying patient information; P = .049).

OPEN IN VIEWER

Table 2.

“Is It a HIPAA Violation?” Frequency of Status Updates and Understanding of HIPAA Violation Scenarios, No. (%).

Response	Frequent Update	Infrequent Update	P Value
Q16: Photo of interesting case, surgery, or medical image if no personal patient identifiers are displayed and no patient face?
No	12 (26.67)	10 (12.66)	.049 a
Yes	33 (73.33)	69 (87.34)
Q17: Complaint about a patient’s annoying family if Facebook states place of employment?
No	7 (15.56)	6 (7.41)	.22 b
Yes	38 (84.44)	75 (92.59)
Q18: “Today, I saw a patient who delivered 10 babies at home and is pregnant again. Perfect example of a need for government supplied birth control.”
No	10 (22.22)	19 (23.46)	.87 a
Yes	35 (77.78)	62 (76.54)
Q19: “Today, I saw a patient who survived getting run over by a truck! Fractured skull, broken leg, and ruptured spleen, but the patient survived!”
No	7 (15.56)	16 (19.51)	.57 a
Yes	38 (84.44)	66 (80.49)
Q20: “Today we are going to find out if we are having a boy or a girl!” (non-HIPAA violation)
No	45 (100.0)	81 (98.78)	1.00 b
Yes	0 (0.0)	1 (1.22)
Q21: “If you are going to be 300 lbs overweight then don’t complain to me when you can’t get your own pants off and get up on the table! Not my problem.”
No	22 (48.89)	38 (46.34)	.78 a
Yes	23 (51.11)	44 (53.66)
Q22: “It was great seeing you today at the hospital. I hope your mom gets feeling better!”
No	3 (6.67)	6 (7.41)	1.00 b
Yes	42 (93.33)	75 (92.59)
Q 23: “Today mom has her follow-up appointment with her doctors. Praying the chemo worked.” (non-HIPAA violation)
No	34 (75.56)	53 (65.43)	.23 a
Yes	11 (24.44)	28 (34.57)

Abbreviation: HIPAA, Health Insurance Portability and Accountability Act.

a

χ² test.

b

Fisher exact test.

The survey asked students if they posted certain types of content in their Facebook status updates, including types of behaviors, venting, or private messages (Table 3). There was no relationship between these behaviors and how frequently students updated their Facebook statuses, but 60 students (47.2%) did not believe that it was a HIPAA violation to post a Facebook status complaining about an obese patient that they treated in their clinical setting; 10 students (7.9%) indicated that they have posted about a rough day in their clinical setting, and 7 students (5.5%) answered that they had sent a private message to someone else on Facebook about a patient whom they treated in their clinical setting.

OPEN IN VIEWER

Table 3.

Information Posted in Student Facebook Status Updates, No. (%).

Facebook Status Update	Yes	No
Do you vent about your day?	30 (23.8)	96 (76.2)
Do you share exciting events about your day?	84 (66.1)	43 (33.9)
Have you ever posted about a rough day at clinic?	10 (7.9)	116 (92.1)
Posted about a good or bad patient experience?	7 (5.5)	120 (94.5)
Have you sent a private message about a patient at clinic?	16 (12.7)	110 (87.3)
Have you indicated where you work or clinical rotation site?	53 (41.7)	74 (58.3)

Discussion

The results indicate an association between how frequently students update their Facebook statuses and whether or not they believe certain Facebook posts constitute HIPAA violations. Contrary to our hypothesis for the sample size calculation, most students were able to correctly identify the online scenarios that would be breaches of HIPAA proposed in questions 16 and 19 regardless of whether or not they were classified as someone who uses Facebook frequently or infrequently to update status. Although the power to detect these differences was somewhat reduced (power = 0.46) for the observed sample size and group proportions, a significant difference between groups for question 16 was still observed. Compared to the infrequent updaters, students who frequently update their Facebook statuses are more likely to believe that posting a photograph of a patient, a surgery, or an interesting case with no identifying information is not a HIPAA violation. The students in this case do not fully understand what can constitute a HIPAA violation.

In many instances, although identifying information may not be included, cases may be unique enough that the patients can be identified just by the facts alone, and health care workers and students have both been disciplined for this type of violation. Thus, there is an opportunity to educate students to be aware that, as the time they spend on social media increases, the more likely they are to post something to it that violates HIPAA. This finding is significant, but there were no other significant differences for the remaining HIPAA scenario questions. There is not a clear explanation for this result. The questions may have been poorly written, leading the respondents to a particular answer, or the result could simply be a chance finding.

Although most students were able to identify questions 16 and 19 as HIPAA violations, students had difficulty correctly answering question 21 (HIPAA violation) and question 23 (non-HIPAA violation). Question 21 asked students if it was a HIPAA violation to complain about an obese patient in their Facebook status; 60 respondents (47.2%) did not believe that it would be a violation. Students did not recognize obesity to be part of protected health information; however, obesity can be patient-identifying information when combined with date and location of patient interaction. Question 23 asked students if it was a HIPAA violation to post a Facebook status about his or her own mother’s chemotherapy treatment; 39 (31%) respondents thought that it would be considered a HIPAA violation. Although it could have been a poorly written question, the response outcome raises an additional dilemma beyond the scope of this research. If a layperson posts about his or her family members’ health or treatment plan, it is not considered a HIPAA violation, because they are not health care workers and therefore not under the regulations of HIPAA. However, can a health care worker be held to a higher standard of privacy even if it is his or her own family’s information that is being divulged? In general, health care workers do not directly treat their family members, so is information learned through other channels considered a HIPAA violation if discussed at a later time? Additional guidance from professional organizations may be helpful to assist health care workers with best practices regarding posting health information of family members. The responses to questions 21 and 23 indicate that there is still confusion about what qualifies a situation as a HIPAA violation.

Students at the university where this survey was distributed must complete annual HIPAA training. This training is geared toward students, faculty (including practicing clinicians), and staff, but it does not cover social media specifically. In spite of this annual training, the response to questions pertaining to online behavior is a cause for concern (Table 3). Students admit to posting Facebook statuses to vent about their day or to complain about a rough day in their clinical setting or about a patient experience. In addition to making inappropriate postings about experiences in the clinic, 41.7% of students posted where they work. They also reported using private messages to share information about cases with classmates, and this action violates the “need to know principle” in HIPAA. ⁸ The results of this survey indicate that students are able to recognize HIPAA violations when they are obvious violations of identifiable patient information, but students do not clearly understand what constitutes a HIPAA violation when protected health information is not directly stated or addressed.

Similar to the PEW Internet sample, the students in this survey are more likely to access Facebook than update their Facebook status information. ² Pew Internet research demonstrated that students are more likely to comment on another’s Facebook status or post than to update their own Facebook statuses. This study did not assess how often students comment on their peers’ posts. Comments on a post that includes a HIPAA violation may place a student at risk of a HIPAA violation simply by engaging in the discussion.

The results of this study confirm the hypothesis that frequency of status updates is inversely associated with the ability to identify those that are violations of HIPAA, with students who update infrequently being more likely to identify the HIPAA violations correctly. Even though the results from this study have only one significant finding related to the hypothesis, it highlights that many students cannot correctly identify HIPAA violations. It can be argued that any breach of HIPAA is significant, suggesting that further research needs to be done to confirm this finding as well as identify what specific social media habits put students at risk for violating HIPAA online and the best ways to train health care professionals to avoid HIPAA violations.

The results of this study should be interpreted with caution. Since the IP addresses were not collected to ensure anonymity, students could have taken the survey multiple times, although this seems unlikely due to the time demands placed on them. The electronic student newsletter is e-mailed to students only, but it is available online. There is a small possibility that nonstudents could have accessed the survey through the student newsletter by visiting the student website. Due to the limitation in the number of respondents, there may not be enough power to detect small differences should they exist. Students who choose to respond to an online survey published in the electronic university newsletter may not be representative of the average student. The survey respondents were predominantly women, who may have different social media usage patterns or interpretations of HIPAA as compared to men. Some students may have had specific training in online professionalism as a part of their programmatic curriculum beyond the required university training, which is not accounted for in this survey but could influence students’ responses to the scenarios. In terms of what constitutes a HIPAA violation, students may answer more conservatively on a survey than what would be reflected in their actual online behavior. Finally, this survey asked students to identify how they use social media and what they believed would be a HIPAA violation on social media, but it did not access their Facebook pages to determine if their beliefs were consistent with the types of content and status updates that they actually post to social media.

Conclusion

Social media has changed interaction among individuals. It is important for all health care providers to be aware of what constitutes a HIPAA violation when posting to their social media sites. Educational programs need to educate students about online professionalism because students who are just beginning to develop a sense of professionalism may not realize that their online behavior is perceived as a component of their professional lives. The frequency that a student updates a Facebook status appears to be associated with a risk of violating HIPAA online. Further research is needed to identify what additional characteristics put students at risk for violating HIPAA so that interventions may be developed to prevent students from behaving unprofessionally or unlawfully through social media.